Using LXC containers to (partially) replace Virtual Machines

Note: This post is the first that we write in English and even though till now all of them were written in Spanish, from now on we will publish content in both languages.

It doesn’t matter if it’s for doing pentests or participating in CTFs, preparing Virtual Machines for different systems and tools is a recurrent task.

For full blown virtualization the two main options are Virtual Box and the multiple flavors of VMWare, but (being an Ubuntu fan) I’ve been lately experimenting with LinuX Containers (LXC), a technology for Linux-based systems sometimes described as:

“something in the middle between a chroot and a full fledged virtual machine”

or

“lightweight virtualization technology. They are more akin to an enhanced chroot than to full virtualization like VMware or QEMU. They do not emulate hardware and containers share the same operating system as the host.”

Each option has its advantages and disadvantages:

There is almost no overhead in running a container, since everything is managed by the host kernel.

LXC containers use the host kernel and they are limited to Linux, so no Windows or OSX containers are feasible.

After this short introduction, in this post I will describe:

How to create a Kali-like unprivileged container starting from a Debian container.

How to “passthrough” devices to a container, like for example an USB RTL-SDR.

How to run GUI applications in a container.

Some general tips & tricks.

Everything explained here assumes that you are running an Ubuntu 14.04 (or a 12.04 with the 3.13 kernel) based host using the 1.0.x LXC branch (use this ppa for 12.04).

Most of the information showed here is just a recompilation from all this sources:

The only caveat with containers hardware passthrough is that anything that needs a modified kernel will only work if the host Kernel is modified.

Running GUI applications

Apart from running X11 applications trough a SSH we can also do it the “native” way, letting the unprivileged container access to the video-card devices (and even the audio server). For more information check this sources:

Tips & Tricks

Systemd based guests

When trying to containerize systemd based guests (like Arch Linux or Debian Jessie) we will need to use the current version of LXC (1.1.2 as of right now) and additional tools (like lxcfs). To get all those in supported versions of Ubuntu we will need to use the following PPA:

It should be noted that unprivileged containers and systemd are not working flawlessly right now, but as stated here:

More recent Debian is hitting a few systemd issues along the way but it eventually boots and seems functional, this will get resolved as Debian either updates to a more recent systemd or cherry-picks the various container fixes we committed to systemd upstream.

It should improve over time.

Offering network services from a container

To allow a service running inside a container to be reached from a network were the host is connected, we should add an iptables rule like this one in the host: